Fortune 500 attendees and presenters from Security Operations, Network Operations, and IT Operations had the chance to discuss how security orchestration and automation enables teams to quicken incident response, all while networking with fellow leaders in the rare London sun. Resolve Systems’ Zahi Yaari, acting as Master of Ceremonies, defined the event as successful if people walked away with additional best practices of incident response and a few new connections to continue the conversations.
What were the main takeaways of the Summit, according to the attendees? With more than a half dozen presentations, keep reading to see our top 3 from the sessions.
Takeaway #1: Realize synchronized, effective outcomes as part of the end-to-end process with security orchestration and automation.
Adrian Dunbar, the Director of Continuous Improvement Support of BT Global Services, presented on “Delivering Service Orchestration” and the initiative to transform the organization from agent-dependent to centralized service orchestration. He suggested, to realize this for yourselves, to do a few things:
- Remove or reduce complexity from engineers
- View, maintain, control, and configure business logic from one application
- Allow business owners to control business rules
- Maintain business rules as executable instructions – making them real and current helps life-cycle management
With one hub, focused on service orchestration, automations are synchronized and realize effective outcomes, rather than operating independently.
Larry Lien, Resolve Systems’ CPO, also supported this best practice by discussing issues in resolving incidents and how an organization could start small – automate whenever it makes sense – to reduce manually pulling data from multiple systems to validate and isolate incidents.
Enterprise-wide security orchestration and automation can save time when a breach occurs and prioritizes alerts or incidents. The more automated your process becomes, whether human-guided or closed-loop, could mean reducing MTTR from 61minutes to a few minutes or even seconds.
Want to see how a company reduced MTTR from 1,889 minutes to 1? Read how in The Financial Impact of Incident Response and Automation Report now.
Takeaway #2: Level up! Empower the people by reducing or eliminating mundane tasks.
“The ultimate stage is that of digital transformation and is achieved when the digital usages which have been developed enable innovation and creativity and stimulate significant change within the professional or knowledge domain.”
– Digital Literacies: Concepts, Policies and Practices, C Lankshear, M Knobel – 2008
Finding, hiring, and keeping people is hard work; with automation, there is often a question about whether jobs will be “automated away”.
Multiple presentations throughout the day addressed this touchy subject; however, they all saw in their organizations that automation was not about eliminating headcount but on the contrary, taking care of the nuisance, mundane tasks, and false alerts, so the critical employees could work on things which excite them. Having your employees work at what they’re trained to do or good at, keeps the strong employees at the company – and more importantly, keeps them motivated in your SOC.
An automation strategy, including vendor selection, needs to be tied to the overall technology, people, and corporate strategy as Lee Bonham pointed out. Resolve Systems considers this critical to an organization’s success as well. Our customers succeed when their IT operations, security operations, and network operations teams are united. With new technology comes an increase volume of alerts; security teams are receiving alerts that impact the entire IT infrastructure and their respective owners and teams. Working together to achieve successful incident response is mandatory, so an enterprise-wide tool is a must-have in today’s environment.
Tom Burton, founder of Cyhesion, presented on the mismatch between employee effort and value delivered to the business. Helping skilled, smart analysts do more “smart stuff” – applying the 80/20 rule, so to speak – and spending less or no time drudging through a task list which could be easily automated eliminated inefficiency which drive staff requirements. Since cybersecurity skills are increasingly difficult to find, with a million cybersecurity job openings in 2016 alone according to Forbes, retaining employees with high levels of job satisfaction is increasingly critical. Tom outlined the ways Orchestration and Automation help, specifically with:
- Automation of known and defined threats
- Decision support for known but ill-defined threats
- Knowledge capture of how to handle previously unknown threats
Tom’s mantra? “Do once, do well, learn, and automate for the future.”
Takeaway #3: Incident Response is more than just technology.
How many times have you been asked “didn’t you see my email?”. That’s not really the best way to handle incident response, is it? The attendees and presenters of the Incident Resolution Summit were in resounding agreement.
Damien Barry, Global Head First Line Support of Nomura, discussed the evolution of technology used to resolve incidents – everything from telephone and faxes to email and chat bots. A constant barrage of emails is the current status quo, but are often limited with explanation, instructions, or actions to take. Creating a culture of communicative response, with technology, is the only way to resolve incidents quicker. Want to know more? He recommends the book Team of Teams by General Stanley McChrystal.
In the session “Cyber Defense in 2017: Working in a world where breaches happen” Tim Anderson, Associate Director – Cyber Defense Operations of NCC Group, talked about MDR (Managed Detection and Response) and how the best cybersecurity professional can have all the right tools and best ingredients but needs a supportive team if anything goes wrong. MDR is the next generation of MSSPs – and much more effective. MDR is when an analyst uses research, technical threat intelligence, technology, hunting, and incident response to dramatically increase their ability to manage, detect, and respond to both known and unknown threats in the shortest possible time frame.
With dozens of attendees making the Incident Resolution Summit a success in London, Resolve Systems has to say a special thank you to the presenters who provided insight and best practices of incident response and building a culture to make automation successful and to make their organizations successful with automation.
Gavin Millard of Tenable said it best when presenting on containers (a standardized unit of software). With attack surfaces changing, from traditional IT and a virtual environment to IoT, cloud, and containers, “Operations capability to deploy has surpassed Security’s ability to identify and assess.” Mind your container gaps to decrease the odds of your business being impacted when a cyber incident occurs.
Resolve Systems fundamentally reduces the time to respond and resolve security incidents. For more information, contact us now.
*Cisco ASR report: https://www.cisco.com/c/en/us/products/security/security-reports.html